Each defendant also helped IT employees pass employer screening procedures. For example, Travis and Salazar appeared for drug testing on behalf of the workers.
Travis, an active-duty member of the U.S. Army at the time, received at least $51,397 for his participation in the scheme. Fagansay and Salazar earned at least $3,450 and $4,500, respectively. In total, the fraudulent jobs netted about $1.28 million in salary payments from defrauded US companies, the majority of which was sent to IT workers overseas.
The fifth defendant, Ukrainian citizen Oleksandr Didenko, pleaded guilty to one count of aggravated identity theft in addition to wire fraud. He admitted participating in “a years-long scheme that stole the identities of American citizens and sold them to foreign IT workers, including North Korean IT workers, so they could fraudulently obtain employment at 40 American companies.” Didenko received hundreds of thousands of dollars from victimized companies that hired fraudulent applicants. As part of the plea agreement, Didenko is forfeiting more than $1.4 million, including more than $570,000 in fiat and virtual currency seized from him and his co-conspirators.
In 2022, the US Treasury Department said the Democratic People’s Republic of Korea employs thousands of skilled IT workers around the world to generate revenue for the country’s weapons of mass destruction and ballistic missile programs.
“In many cases, DPRK IT employees represent themselves as U.S.-based and/or non-North Korean teleworkers,” Treasury Department officials wrote. “Workers may further obscure their identity and/or location by subcontracting work to non-North Koreans. Although DPRK IT employees generally engage in IT work separate from malicious cyber activity, they have used the privileged access they gained as contractors to enable malicious cyber intrusions of the DPRK. Additionally, there are instances where workers are subjected to forced labor.”
Other US government advisories posted in 2023 and 2024 regarding similar programs have been removed without explanation.
In Friday’s release, the Justice Department also said it is seeking to seize more than $15 million worth of USDT, a cryptocurrency stablecoin pegged to the U.S. dollar, that the FBI seized from North APT38 actors in March. The seized funds were obtained from four thefts carried out by APT38, two in July 2023 against virtual currency payment processors in Estonia and Panama and two in November 2023 against exchanges in Panama and Seychelles.
The Justice Department said efforts are ongoing to locate, seize and seize all stolen assets as APT38 laundered them through virtual currency bridges, mixers, exchanges and over-the-counter traders.